DNSSEC will eventually generate Identical Key ID's
Anand Buddhdev
anandb at ripe.net
Sun Sep 9 18:30:10 UTC 2018
On 09/09/2018 19:51, Mark Elkins wrote:
> Never assume a KeyID is unique. :-)
One of the DNSSEC RFCs specifically says that the KeyID is not meant to
be unique. I can't remember which one, and it's too late on a Sunday
evening to be reading RFCs :)
Even then, I've had the misfortune of dealing with a vendor whose
developers didn't read the RFCs properly, and designed their key store
using the key IDs as indexes. So one fine day, we had a zone signed with
one key, but the DS record came from another key. Boom. Yuck. What a
mess it was to sort out!
Regards,
Anand
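The two points in the post (key tags are not unique, and a key store that indexes on them can end up publishing a DS for a different key than the one signing the zone) can be shown concretely. The Python below is an added example written for this thread, not code from the poster or from any vendor; the two DNSKEY records, the zone name, and the two store classes are all constructed for illustration. The key tag routine is the one in RFC 4034 Appendix B, and the DS digest is SHA-256 over the owner name in wire format followed by the DNSKEY RDATA, as in RFC 4034 section 5.1.4. The two constructed keys contain the same 16-bit words in a different order, so their key tags collide by construction.

```python
import hashlib


def key_tag(rdata: bytes) -> int:
    """Key tag over DNSKEY RDATA (RFC 4034 Appendix B, all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def name_to_wire(name: str) -> bytes:
    """Owner name in uncompressed, lowercased wire format (needed for the DS digest)."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol 3, algorithm, public key."""
    return flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm]) + pubkey


def ds_digest_sha256(owner: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256(owner name wire format || DNSKEY RDATA)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()


# Constructed sample keys (not real key material): both are KSKs (flags 257) using
# algorithm 13. The public-key bytes are the same 16-bit words in a different order,
# so RFC 4034's additive checksum gives both keys the same tag.
ZONE = "example."
KEY_A = dnskey_rdata(257, 13, bytes([0x10, 0x20, 0x30, 0x40]))
KEY_B = dnskey_rdata(257, 13, bytes([0x30, 0x40, 0x10, 0x20]))


class TagIndexedStore:
    """Hypothetical store indexed on key tag alone: a second key with the same tag
    silently replaces the first, and lookups return whichever key came last."""

    def __init__(self):
        self._keys = {}

    def add(self, rdata: bytes) -> None:
        self._keys[key_tag(rdata)] = rdata

    def lookup(self, rdata: bytes):
        return self._keys.get(key_tag(rdata))


class RdataIndexedStore:
    """Hypothetical store indexed on the full RDATA; the tag is kept only as a hint."""

    def __init__(self):
        self._keys = {}

    def add(self, rdata: bytes) -> None:
        self._keys[rdata] = key_tag(rdata)

    def lookup(self, rdata: bytes):
        return rdata if rdata in self._keys else None


def published_ds_matches_signing_key(store_cls) -> bool:
    """Load both keys, sign with KEY_A, then build the DS from whatever the store
    hands back for KEY_A. With a tag-indexed store the DS belongs to KEY_B."""
    store = store_cls()
    store.add(KEY_A)
    store.add(KEY_B)
    signing_key = KEY_A
    stored = store.lookup(signing_key)
    if stored is None:
        return False
    return ds_digest_sha256(ZONE, stored) == ds_digest_sha256(ZONE, signing_key)


def match_ds_to_dnskey(owner: str, ds_tag: int, ds_alg: int, ds_digest: str, dnskeys):
    """Validator-side matching (RFC 4035 section 5.2): the key tag and algorithm only
    select candidates; the DS digest must be recomputed and compared for each one."""
    for rdata in dnskeys:
        if key_tag(rdata) != ds_tag or rdata[3] != ds_alg:
            continue
        if ds_digest_sha256(owner, rdata) == ds_digest:
            return rdata
    return None


if __name__ == "__main__":
    print("tag A =", key_tag(KEY_A), "tag B =", key_tag(KEY_B), "same RDATA?", KEY_A == KEY_B)
    print("tag-indexed store DS matches signing key:", published_ds_matches_signing_key(TagIndexedStore))
    print("RDATA-indexed store DS matches signing key:", published_ds_matches_signing_key(RdataIndexedStore))
```

The last function is the check a validator (or a pre-publication sanity script) should run: for every DNSKEY in the apex RRset whose tag and algorithm match the DS, recompute the digest and compare; a DS whose digest matches none of the keys that actually sign the zone is exactly the broken state described above, and it is detectable before the DS is submitted to the parent.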
More information about the bind-users mailing list